Tech Support Forum - HijackThis Log Help
#1
Registered User
Join Date: Sep 2004
Posts: 14
OS: Win98
msgfix.exe help!
Hi, it seems to me that I have some kind of trojan / worm sitting in my computer. I keep getting a msgfix.exe process running in Task Manager taking about 3,052K. I have found the file in the following folders numerous times, but they keep coming back after I delete them:

C:/WINNT/SYSTEM32
C:/WINDOWS/SYSTEM32
C:/
D:/

Before I go on, I am using the following: Win2K SP4, PC-Cillin (latest definitions), Ad-Aware, Spybot, PrevX Intrusion Prevention. (I generally use Firefox, but occasionally use IE for certain pages.) I have looked in the registry in places like HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and have not found anything that I didn't recognize. Full system virus scan doesn't find it. But the really strange thing is that when I locate and conduct a manual scan on the msgfix.exe file separately, PC-cillin doesn't seem to come up with anything!!!! (It did however find another file in the system32 folder, NAV.exe, which had a TROJ_MULTIDRP.T virus.) Oh, other suspicious files I find with msgfix.exe are windae32.exe, winupddate.exe, MSsrvs32.exe etc. HijackThis doesn't seem to find anything either, but here's the log. HELP!

Logfile of HijackThis v1.98.2
Scan saved at 1:41:51 AM, on 12/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.SYS\Desktop\Assorted\Hijack This 1_98_2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [PrevX Home] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\RunOnce: [East-Tec Eraser 2004] "C:\PROGRA~1\EAST-T~1\silent.exe" /R
O4 - Startup: AtomTimer.lnk = C:\Program Files\Atom Timer\AtomT.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD88C2A-5878-4F9E-9039-DA2459722EB4}: NameServer = 202.56.215.6 202.56.230.6
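An added Python example (my own code, not the poster's and not part of HijackThis) that parses a log in the format posted above into its process list and Rn/On entries and runs the triage checks an analyst does by hand: which running processes have no visible O4 autostart entry, which entries mention a given filename, and what the R1 ProxyServer and O17 NameServer settings are. SAMPLE_LOG is a constructed subset of the posted log; all function names are mine. A process missing from O4 is a lead, not a verdict: this log version has no services section, so something started as a service can still be running without appearing in any entry.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a subset of the lines from the log posted in this thread,
# one entry per line, the way HijackThis itself writes them.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 1:41:51 AM, on 12/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\msgfix.exe
C:\Program Files\PREVX\Prevx Home\SAGUI.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O4 - HKLM\..\Run: [PrevX Home] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD88C2A-5878-4F9E-9039-DA2459722EB4}: NameServer = 202.56.215.6 202.56.230.6
"""

# Every HijackThis finding starts with a section code such as R1, O4 or O17.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


@dataclass
class HjtLog:
    header: List[str] = field(default_factory=list)
    processes: List[str] = field(default_factory=list)
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (section, text)


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into header lines, running processes and section entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the blank line after the process list ends it
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            log.entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            log.header.append(line)
    return log


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path, surrounding quotes removed."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def command_executable(cmd: str) -> str:
    """Executable of an O4 command: a quoted path, else everything up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def autostart_commands(log: HjtLog) -> Dict[str, str]:
    """Map the [Name] of each O4 Run-style entry to the command it launches."""
    result: Dict[str, str] = {}
    for section, text in log.entries:
        if section == "O4":
            m = re.search(r"\[([^\]]*)\]\s*(.*)$", text)
            if m:
                result[m.group(1)] = m.group(2)
    return result


def running_without_autostart(log: HjtLog) -> List[str]:
    """Running processes whose executable appears in no O4 entry (services are not listed here)."""
    known = {basename(command_executable(c)) for c in autostart_commands(log).values()}
    return [p for p in log.processes if basename(p) not in known]


def find_mentions(log: HjtLog, filename: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Processes running as filename, and entries whose text mentions it."""
    name = filename.lower()
    procs = [p for p in log.processes if basename(p) == name]
    ents = [(s, t) for s, t in log.entries if name in t.lower()]
    return procs, ents


def nameservers(log: HjtLog) -> List[str]:
    """DNS servers from O17 entries; compare them with the ones the ISP actually hands out."""
    ips: List[str] = []
    for section, text in log.entries:
        if section == "O17":
            m = re.search(r"NameServer = (.*)$", text)
            if m:
                ips.extend(m.group(1).split())
    return ips


def proxy_servers(log: HjtLog) -> List[str]:
    """Values of R1 ProxyServer entries; a local proxy should be traceable to an installed product."""
    return [t.split("=", 1)[1].strip() for s, t in log.entries
            if s == "R1" and "ProxyServer" in t]


if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print("running with no O4 entry:", [basename(p) for p in running_without_autostart(log)])
    print("mentions of msgfix.exe:", find_mentions(log, "msgfix.exe"))
    print("proxy:", proxy_servers(log), "dns:", nameservers(log))
```

Run against the constructed sample, msgfix.exe shows up as running with no autostart entry and no other mention in the log, which matches what the poster saw by hand; the R1 proxy and O17 DNS values are the two settings in this log that change network behaviour and are worth matching against the installed products and the ISP before deciding anything.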
#2
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
If you have a high-speed connection, please run an online virus scan from TrendMicro. Please select the "autoclean" option when prompted to do so.

Msgfix.exe is associated with the W32.Gaobot.SN worm. It has several files and registry entries that will need to be removed. Please follow the process located here... http://securityresponse.symantec.com...gaobot.sn.html
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder